高效安全的软件定义网络拓扑发现协议

doi:10.11959/j.issn.2096-109x.2023080

摘要/Abstract

摘要：

基于OpenFlow的软件定义网络（SDN，software defined network）控制器主要采用OFDP（OpenFlow discovery protocol）发现网络拓扑，现有研究表明，OFDP存在网络拓扑信息更新效率低、容易遭受网络拓扑污染攻击等问题，为了提高网络拓扑发现协议的效率和安全性，对OFDP的网络拓扑发现机理和安全问题进行了深入研究，详细分析了软件定义网络拓扑建立和更新阶段的特点，基于图论的最小顶点覆盖问题提出了一种改进的OpenFlow网络拓扑发现协议——Im-OFDP（improved OpenFlow discovery protocol）。Im-OFDP基于OFDP网络拓扑发现的先验信息构建端口信息表和链路信息表，然后建立网络拓扑图模型，基于最小顶点覆盖算法筛选支撑网络拓扑的交换机，再根据网络拓扑结构设计网络拓扑发现的多级流表，由控制器下发至相应交换机。控制器发出的网络拓扑发现报文经多级流表转发处理后上报给控制器，进而获取网络拓扑信息。针对安全问题，Im-OFDP一方面基于拓扑发现获取的信息在LLDP（link layer discovery protocol）报文中采用动态检验码检测链路的真实性，另一方面基于主机和交换机等网络设备的拓扑信息建立验证机制，确保网络设备可信。实验结果表明，部署Im-OFDP后，控制器在网络拓扑发现的消息数量、带宽开销、CPU资源负载显著降低，节点失效响应时间、节点失效后链路恢复时间明显较短，能够防御链路伪造、交换机伪造等多种形式的网络拓扑污染攻击。Im-OFDP能够显著提高SDN拓扑发现的效率和安全性。

关键词: 软件定义网络, 网络拓扑, 网络安全

Abstract:

The network topology discovery in OpenFlow-based software-defined networks is mainly achieved by utilizing the OpenFlow discovery protocol (OFDP).However, it has been observed in existing research that OFDP exhibits low updating efficiency and is susceptible to network topology pollution attacks.To address the efficiency and safety concerns of the network topology discovery protocol, an in-depth investigation was conducted on the mechanism and safety of OFDP network topology discovery.The characteristics of network topology establishment and updating in OFDP were analyzed, and an improved protocol named Im-OFDP (improved OpenFlow discovery protocol) based on the minimum vertex covering problem in graph theory was proposed.In Im-OFDP, the switch port table and network link table were initially established using prior information obtained from OFDP network topology discovery.Subsequently, a graph model of the network topology was constructed, and the minimum vertex covering algorithm in graph theory was employed to select specific switches for the reception and forwarding of topology discovery link layer discovery protocol (LLDP) packets.Multi-level flow tables were designed based on the network topology structure, and these flow entries were installed on the selected switches by the controller to process LLDP packets.To address security issues, dynamic check code verification in LLDP packets was employed to ensure the safety of network links.Additionally, a network equipment information maintenance mechanism was established based on known network topologies to ensure the safety of the network equipment.Experimental results demonstrate a significant reduction in the number of network topology discovery messages, bandwidth overhead, and CPU overhead through the deployment of Im-OFDP.Moreover, the response time for node failures and link recovery time after mode failure is substantially reduced.Im-OFDP also effectively mitigates various network topology pollution attacks, such as link fabrication and switch forgery attacks.Overall, Im-OFDP has the capability to enhance the efficiency and safety of SDN topology discovery.

Key words: software defined network, network topology, network security

中图分类号:

TP309

李冬, 于俊清, 谷永普, 赵鹏程. 高效安全的软件定义网络拓扑发现协议[J]. 网络与信息安全学报, 2023, 9(6): 20-33.

Dong LI, Junqing YU, Yongpu GU, Pengcheng ZHAO. Efficient and safe software defined network topology discovery protocol[J]. Chinese Journal of Network and Information Security, 2023, 9(6): 20-33.

图/表 19

图1

图2

表1

图3

表2

图4

图5

图6

表3

图7

图8

图9

图10

图11

表4

图12

图13

图14

图15

参考文献 50

[1]	MCKEOWN N . OpenFlow:enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74.
[2]	NUNES B A A , MENDONCA M , NGUYEN X N ,et al. A survey of software-defined networking:past,present,and future of programmable networks[J]. IEEE Communications Surveys ＆ Tutorials, 2014,16(3): 1617-1634.
[3]	QIN Z , DENKER G , GIANNELLI C ,et al. A software defined networking architecture for the internet-of-things[C]// Proceedings of IEEE Network Operations and Management Symposium. 2014: 1-9.
[4]	AHMED N , ROY A , MONDAL A ,et al. SDN-based link recovery scheme for large-scale internet of things[C]// Proceedings of IEEE 22nd International Conference on High Performance Switching and Routing (HPSR). 2021: 1-6.
[5]	KU I , LU Y , GERLA M ,et al. Towards software-defined VANET:architecture and services[C]// Proceedings of 13th Annual Mediterranean Ad Hoc Networking Workshop. 2014: 103-110.
[6]	GUO J M , YANG L , RINCóN D , et al . SDN controller placement in LEO satellite networks based on dynamic topology[C]// Proceedings of IEEE/CIC International Conference on Communications in China (ICCC). 2021: 1083-1088.
[7]	MONTERO R , AGRAZ F , PAGES A ,et al. Dynamic topology discovery in SDN-enabled transparent optical networks[C]// Proceedings of International Conference on Optical Network Design ＆Modeling. 2017: 1-6.
[8]	TARNARAS G , HALEPLIDIS E , DENAZIS S . SDN and ForCES based optimal network topology discovery[C]// Proceedings of IEEE Conference on Network Software. 2015: 1-6.
[9]	KIPONGO J , OLWAL T O , ABU-MAHFOUZ A M . Topology discovery protocol for software defined wireless sensor network:Solutions and open issues[C]// Proceedings of 27th Internaional Symposium.Industrial Electronics. 2018: 1282-1287.
[10]	SHIN S , XU L , HONG S ,et al. Enhancing network security through software defined networking[C]// Proceedings of 25th International Conference on Computer Communication and Networks, 2016: 1-9.
[11]	ZHU K , YAO Z , HE N ,et al. Toward full virtualization of the network Topology[J]. IEEE Systems Journal, 2019,13(2): 1640-1649.
[12]	OpenFlow discovery protocol and link layer discovery protocol[EB].
[13]	DACIER M C , K?NIG H , CWALINSKI R ,et al. Security challenges and opportunities of software-defined networking[J]. IEEE Security ＆ Privacy, 2017,15(2): 96-100.
[14]	AZZOUNI A , TRANG N T M , BOUTABA R ,et al. Limitations of OpenFlow topology discovery protocol[C]// Proceedings of 16th Annual Mediterranean Ad Hoc Network Workshop. 2017: 1-3.
[15]	KHAN S , GANI A , WAHAB A W A ,et al. Topology discovery in software defined networks:threats,taxonomy,and state-ofthe-art[J]. IEEE Communications Surveys ＆ Tutorials, 2017,19(1): 303-324.
[16]	TOUFGA S , ABDELLATIF S , OWEZARSKI P ,et al. OpenFlow based topology discovery service in software defined vehicular networks:limitations and future approaches[C]// Proceedings of IEEE Vehicular Network Conference. 2018: 1-4.
[17]	SMYTH D , MCSWEENEY S , O'SHEA D , et al . Detecting link fabrication attacks in software-defined networks[C]// Proceedings of 26th International Conference on Computer Communication and Networks. 2017: 1-8.
[18]	GHANNAM R , CHUNG A . Handling malicious switches in software defined networks[C]// Proceedings of Network Operations ＆Management Symposium. 2016: 1245-1248.
[19]	OIKONOMOU N V , MARGARITI S V , STERGIOU E ,et al. Performance evaluation of software-defined networking implemented on various network topologies[C]// Proceedings of 6th South-East Europe Design Automation,Computer Engineering,Computer Networks and Social Media Conference. 2021: 1-6.
[20]	KAUR N , SINGH A K , KUMAR N ,et al. Performance impact of topology poisoning attack in SDN and its countermeasure[C]// Proceedings of the 10th International Conference on Security of Information and Networks. 2017: 179-184.
[21]	PAKZAD F , PORTMANN M , TAN W L ,et al. Efficient topology discovery in OpenFlow-based software defined networks[C]// Proceedings of 8th International Conference on Signal Processing and Communication Systems. 2014.
[22]	AZZOUNI A , BOUTABA R , TRANG N ,et al. sOFTDP:secure and efficient topology discovery protocol for SDN[C]// Proceedings of IEEE/IFIP Network Operations and Management Symposium. 2018: 1-7.
[23]	NEHRA A , TRIPATHI M , GAUR M S ,et al. SLDP:a secure and lightweight link discovery protocol for software defined networking[J]. Computer Networks, 2018,150(2): 102-116.
[24]	ZHAO X , YAO L , WU G . ESLD:an efficient and secure link discovery scheme for software-defined networking[J]. International Journal of Communication Systems, 2018,31(10): 18.
[25]	HAO D . Research and implementation of OFDP based on multi-purpose address broadcast algorithm[D]. Kunming：University of Yun Nan, 2018.
[26]	JIA Y , XU L , YANG Y ,et al. Lightweight automatic discovery protocol for OpenFlow-based software defined networking[J]. IEEE Communications Letters, 2020,24(2): 312-315.
[27]	DONG S , ZHANG A L , HUANG D Y ,et al. Optimization of link layer topology discovery in SDN based on OpenFlow[J]. Fire Control ＆ Command Control. 2020,45(305): 150-155.
[28]	WANG Z Q . Research on topology discovery and link delay measurement of SDN network[D]. Huhehaote:University of Inner Moncolia, 2020.
[29]	CHANG Y C , LIN H T , CHU H M ,et al. Efficient topology discovery for software-defined networks[J]. IEEE Transactions on Network and Service Management, 2020,(99): 1375-1388.
[30]	OCHOA-ADAY L , CERVELLó-PASTOR C , FERNNDEZ-FERNáNDEZ A . eTDP:enhanced topology discovery protocol for software-defined networks[J]. IEEE Access, 2019,7: 23471-23487.
[31]	TARNARAS G , ATHANASIOU F , DENAZIS S . An efficient topology discovery algorithm for software-defined networks[J]. IET Networks, 2017,6(6): 157-161.
[32]	OCHOA-ADAY L , CERVELLó-PASTOR C , FERNáNDEZFERNáNDEZ A . Self-healing topology discovery protocol for software defined networks[J]. IEEE Communications Letters, 2018,3(3): 1-4.
[33]	ROJAS E , ALVAREZ-HORCAJO J , MARTINEZ-YELMO I > ,et al. TEDP:an enhanced topology discovery service for software-defined networking[J]. IEEE Commun Lett, 2018,22(8): 1540-1543.
[34]	ALJERI N , BOUKERCHE A . EDiPSo:an efficient scalable topology discovery protocol for software-defined vehicular network[J]. Computer Networks, 2021:108342.
[35]	HONG S , XU L , WANG H ,et al. Poisoning network visibility in software-defined networks:new attacks and countermeasures[C]// The Network and Distributed System Security Symposium(NDSS). 2015: 8-11.
[36]	XIANG S , ZHU H , WU X ,et al. Modeling and verifying the topology discovery mechanism of OpenFlow controllers in software-defined networks using process algebra[J]. Science of Computer Programming, 2019,187:102343.
[37]	SKOWYRA R , XU L , GU G et al . Effective topology tampering attacks and defenses in software-defined networks[C]// International Conference on Dependable Systems and Networks(DSN). 2018: 374-385.
[38]	ALIMOHAMMADIFAR A , MAJUMDAR S , MADI T ,et al. Stealthy probing-based verification (SPV):an active approach to defending software defined networks against topology poisoning attacks[C]// Proceedings of European Symposium on Research in Computer Security (ESORICS). 2018: 463-484.
[39]	MARIN E , BUCCIOL N , CONTI M . An in-depth look into SDN topology discovery mechanisms:novel attacks and practical countermeasures[C]// ACM Conference on Computer and Communications Security(CCS). 2019: 1101-1114.
[40]	DHAWAN M , PODDAR R , MAHAJAN K . SPHINX:detecting security attacks in software-defined networks[C]// Proceedings of the Network and Distributed System Security Symposium(NDSS). 2015: 1-15.
[41]	SMYTH D , MCSWEENEY S , O'SHEA D ,et al. Detecting link fabrication attacks in software-defined networks[C]// Proceedings of IEEE 26th International Conference on Computer Communication and Networks (ICCCN). 2017: 1-8.
[42]	KAMISI?SKI A , FUNG C . FlowMon:detecting malicious switches in software-defined networks[C]// Proceedings of ACM CCS workshop on Automated Decision Making for Active Cyber Defense. 2015: 39-45.
[43]	HUANG X , SHI P , LIU Y ,et al. Towards trusted and efficient SDN topology discovery:a lightweight topology verification scheme[J]. Computer Networks, 2020,170:107119.
[44]	WANG J , TAN Y , LIU J . Topology poisoning attacks and countermeasures in SDN-enabled vehicular networks[C]// Proceedings of IEEE Global Communications Conference(GLOBECOM). 2020: 1-6.
[45]	ZHENG Z , XU M W , LI Q ,et al. Defending against SDN network topology poisoning attacks[J]. Computer Research and Development. 2018,55(1): 207-215.
[46]	GU Y P , LI D , YU J Q . Im-OFDP:an improved openflow-based topology discovery protocol for software defined network[C]// Proceedings of IFIP International Conferences on Networking. 2020: 628-630.
[47]	SOLTANI S , SHOJAFAR M , MOSTAFAEI H ,et al. Real-time link verification in software-defined networks[J]. IEEE Transactions on Network and Service Management, 2023,20(3): 3596-3611.
[48]	KONG D . Combination attacks and defenses on SDN topology discovery[J]. IEEE/ACM Transactions on Networking, 2023,31(2): 904-919.
[49]	GAO Y , XU M . Defense against software-defined network topology poisoning attacks[J]. Tsinghua Science and Technology, 2023,28(1): 39-46.
[50]	ZHANG H L , XIE Q M , LI W . Research on minimum convex covering problem[J]. China New Telecommunications, 2014,(13): 51-52.

网络拓扑发现协议	Packet-Out	Packet-In	消息数
OFDP	H+2L	2L	H+4L
OFDPv2	N	2L	S+2L
LADP	1	2L	1+2L
OFDP-PD	H+L	L	H+2L
Im-OFDP（含校验码）	2L	2L	4L
Im-OFDP（无校验码）	N_x∈(1, N-1)	L	N_x+L

拓扑	消息数量
拓扑	OFDP	OFDPv2	LADP	OFDP-PD	Im-OFDP
Topo1	592	253	169	424	101
Topo2	312	187	125	188	83
Topo3	496	298	199	298	149
Topo4	144	84	65	80	40
Topo5	124	72	53	72	36

协议	攻击方式
协议	LLDP重放	LLDP伪造	交换机伪造	主机伪造
OFDP	×	×	×	×
OFDPv2	×	×	×	×
LADP	√	√	×	√
OFDP-PD	×	×	×	×
Im-OFDP	√	√	√	√